Stolen iPhone? Your iMessages may still be going to the wrong place

iPhone owners shouldn't have to worry that a thief might receive their …

Those who have had a phone lost or stolen are familiar with the horrors that follow: the thief (or the person he sold your phone to) starts to send texts as you to your family and friends, leaving you scrambling to de-activate the device as soon as possible. For modern iPhone owners, though, such a phenomenon should be in the distant past thanks to the advent of remote wipe capabilities, right?

Perhaps not. Some unlucky iPhone owners are beginning to discover that, despite their best efforts to remove all information from their stolen phones, thieves and unsuspecting buyers are still able to send and receive iMessages as the original owner—even after the device is registered under a new account. Almost nothing seems to work—remote wiping, changing Apple ID passwords, or even moving the old phone number to a new phone—and users are becoming more than frustrated that thieves are so easily able to pose as them.

What's happening

Our attention was drawn to this story by Ars reader David Hovis, whose house was recently burglarized and his wife's iPhone 4S was stolen. According to Hovis, his wife deactivated her iPhone with her carrier, remote wiped it, and immediately changed her Apple ID password—"we picked up a new iPhone the next day, figuring that our insurance would end up paying for it," Hovis told Ars.

For most users, this would be the end of the story. The phone number had been transferred to a new device and the old one had been deactivated; what more is there to say? A lot, apparently, and in the form of iMessages. The thief who stole Mrs. Hovis' iPhone had sold the device to an unsuspecting buyer elsewhere in the state, and the buyer had begun sending and receiving iMessages from the phone as Mrs. Hovis—even though the stolen phone had apparently now been activated under a new number.

Hovis iMessaged back and forth with the new owner—his iMessages, incidentally, going to both his wife's new phone and the old phone at the same time—but the new owner came off as confused and uncooperative, and the whole situation seemed to be at a dead end. That's when Hovis began searching online, discovering that such a thing has happened to other iPhone users as well.

In a MacRumors forum thread from late October/early November, multiple users tell very similar stories about stolen iPhones and misdirected iMessages. The original poster of the thread remote wiped, changed his Apple ID e-mail and password, suspended his service through Verizon, and iMessages sent to him still went through to the stolen phone. Another user named PDiggles said his stolen iPhone was being used by someone going by "BigDaddy," but when PDiggles' friend tried to iMessage PDiggles, BigDaddy had replied back saying the friend had the wrong number (indicating that the phone had indeed been activated under a new number).

A separate thread posted on the Apple Support boards discusses the same issue. A user named mindy1285 says her stolen iPhone 3GS is still receiving iMessages sent to her phone number, even though she already has a new phone activated on that number. Further down in the thread, she points out that the person who now has her stolen 3GS isn't receiving regular phone calls or even normal SMSs sent to her number—only iMessages sent from other iPhone users appear to be making their way through to the stolen phone.

Why is it happening?

We reached out to Apple to ask why this seems to be happening and how it can be prevented, but the company has not responded to our request for comment. So we turned to iOS security expert Jonathan Zdziarski for his opinion on how a stolen (or even just an old, retired) device could be holding onto an iMessage identifier.

"I can only speculate, but I can see this being plausible," Zdziarski told Ars. "iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the phone, it will still read the phone number from the SIM. I suppose if you change the SIM out after the phone has been configured, the old number might be cached somewhere either on the phone or on Apple's servers with the UDID of the phone."

In other words, iMessage may be pulling the old phone number from a cache somewhere and continuing to use it on the device if the SIM was removed after it was configured as a new phone. We were unable to test this theory (and keep in mind that it's just a theory), but it certainly sounds like one of the more logical explanations for this phenomenon.
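The caching theory above is easier to reason about as a routing model. The following is an added example, not Apple's code or anything the article's sources described: it contrasts a hypothetical registry that caches a phone number against a device ID and never clears it (the behaviour the theory predicts) with one that ties every device binding to the account's credential generation, so a remote wipe, an Apple ID password change, or a re-registration under a new number each revokes the stale binding. Device IDs, numbers and account names are constructed placeholders.

```python
"""Hypothetical model of a device-to-number routing registry for an
iMessage-style service (added example, NOT Apple's implementation)."""

from dataclasses import dataclass


@dataclass
class Binding:
    number: str      # phone number the device receives messages for
    account: str     # account (Apple-ID-like) that registered the device
    generation: int  # account credential generation at registration time


class StickyRegistry:
    """Failure mode the article's theory describes: the number is cached
    against the device ID at first setup and nothing later clears it."""

    def __init__(self):
        self.cache = {}  # device_id -> set of every number configured on it

    def register(self, device_id, number, account):
        # A new number is added; the old one stays cached alongside it.
        self.cache.setdefault(device_id, set()).add(number)

    def remote_wipe(self, device_id):
        pass  # wipe clears the handset, not the server-side cache

    def change_password(self, account):
        pass  # credential change does not touch device bindings

    def route(self, number):
        return sorted(d for d, nums in self.cache.items() if number in nums)


class RevokingRegistry:
    """Hardened variant: exactly one binding per device, tied to the
    account's credential generation; wipe, password change and
    re-registration each invalidate stale bindings."""

    def __init__(self):
        self.bindings = {}    # device_id -> Binding
        self.generation = {}  # account -> current credential generation

    def register(self, device_id, number, account):
        gen = self.generation.setdefault(account, 0)
        # Re-registration replaces the binding instead of accumulating numbers.
        self.bindings[device_id] = Binding(number, account, gen)

    def remote_wipe(self, device_id):
        # The server forgets the device when the owner wipes it.
        self.bindings.pop(device_id, None)

    def change_password(self, account):
        # Bump the generation so bindings made under old credentials die.
        self.generation[account] = self.generation.get(account, 0) + 1

    def route(self, number):
        return sorted(
            d for d, b in self.bindings.items()
            if b.number == number
            and b.generation == self.generation.get(b.account)
        )


def theft_scenario(registry, wipe=True, rotate=True):
    """Replay the article's sequence of events against a registry and return
    the device IDs that would receive a message addressed to the victim."""
    victim, victim_num = "victim@example.invalid", "+15550001111"  # constructed
    registry.register("old-phone", victim_num, victim)    # original setup
    if wipe:
        registry.remote_wipe("old-phone")                 # owner wipes remotely
    if rotate:
        registry.change_password(victim)                  # owner changes password
    registry.register("new-phone", victim_num, victim)    # number moved to new phone
    # Buyer activates the stolen phone under a different number and account.
    registry.register("old-phone", "+15550002222", "buyer@example.invalid")
    return registry.route(victim_num)


if __name__ == "__main__":
    print("sticky  :", theft_scenario(StickyRegistry()))    # ['new-phone', 'old-phone']
    print("revoking:", theft_scenario(RevokingRegistry()))  # ['new-phone']
```

The design point is that revocation has to happen server-side and be triggered by every event the owner can actually perform after the device is gone (wipe, password change, moving the number); a binding keyed on the device alone, with no generation or account tie, survives all of them, which is exactly the symptom the affected users report.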

But my iPhone is still stolen. Now what?

This could be the first major kink in Apple's iMessage setup since the service was rolled out as part of iOS 5 in October. Otherwise, iMessage works well as a seamless replacement for SMS between those using iOS devices, and users generally seem quite happy with the service. So what are you to do if your iPhone is lost, stolen, or just resold and you don't want your iMessages going through to the new owner?

The original poster from the MacRumors forum thread, andrewhdn, eventually said he was able to resolve the issue by registering his new iPhone under a brand new Apple ID and canceling his old Apple ID completely. (This shouldn't have worked, according to what AppleCare and iTunes representatives told him originally, but he claims his iMessages "work fine now.") There's one major downside to this option, however: ditching an Apple ID completely means that you no longer have access to your past music and TV purchases through iTunes—apparently "not a big deal" for andrewhdn, but we can see this being a sticking point for those who buy lots of media.

Have any other Ars readers run into this problem? If so, what were your solutions (if any) to making sure your iMessages weren't going to the wrong place? We'll continue to press Apple on this issue to see if we can get further clarification, but in the meantime, make sure to keep an extra close eye on your iPhones so they stay out of the wrong hands.

Update: Twitter user Kim Hunter told me that he spoke with "Apple [security]," who told him it's not a security problem and to turn iMessage off on the offending device. When I pointed out that you can't turn iMessage off on a device that has been stolen because it's not in your hands anymore, he agreed: "exactly, i found the issue when i put my sim in a friends phone to activate it. then they were able to send/view/observe all my mess."

Hmm. I have lost two iPhones to theft in the past. Fortunately they are both too old to run iOS 5.

However, my company (edit: I work there, I don't own it) runs about 20 iPhone 4's, all on iOS 5. Wouldn't it be nice if confidential iMessages continued being sent to a stolen, wiped corporate iPhone.

Has this happened to people who have legitimately sold on their iPhones? It seems this bug might be quite easy to reproduce.

I really wouldn't want to give up my Apple ID - it contains several hundred quids worth of purchases. I don't use iCloud or the Lion App store yet, but closing an Apple ID might result in losing access to many expensive software purchases or data in iCloud.

Could this indicate some problems with the underlying remote wipe implementation? I know that is one of the big things that many large corporate customers require on an official "work" phone, and if there are any further issues, it could theoretically nix it as an allowable device. I'd heard the latest releases of Android and iOS were supposed to be bringing in a lot of those security policies, but this is the first I'd heard about issues with anything.

I thought stolen iPhones could be disabled/tracked if you reported it stolen to the carrier?

(And yo, what's up with this music blasting when pages load? I think it's the Samsung ad in the top right?)

Almost everyone in this story (including the original person who contacted me) spoke with their carriers to track and eventually de-activate the stolen phones. That's the whole point. The iMessages still go through!

(As for the Samsung ad, I'm not sure what that's all about but I've brought it up to our tech team for you. It's not happening for me, though, and I see that ad.)

It looks like the phone number is tied together with the Device ID on Apple's servers when you set up iMessage, and there is no way to change this any more after that. Pretty obviously something like that is needed to make iMessage work, but offering no mechanism to wipe that info is shoddy implementation.

I use separate Apple accounts: one for the app store and another for iCloud/iMessages/FaceTime. I did this when iOS was released in order to separate my personal information while still sharing app purchases with my family. Apparently it avoids this iMessage problem too, as I could easily delete my iMessage account while still retaining all my purchases.

I'm pretty surprised by the shocking blunders Apple make - especially in regard to private access and information. In a sense you wouldn't mind if it was the other less important stuff like dodgy wifi or crashing apps or wallpapers that don't load properly, but for me all that stuff is solid as a rock. It's when it comes to location data, phone wiping - where it really matters - that they get it wrong, and they're clever chaps... The good news is they usually fix it pretty fast.

Well, if the problem has existed this long and Apple hasn't responded, I think the affected users should sue Apple and see if this will get their attention.

This could be a privacy/security issue since the new owners of stolen iPhones would be getting private messages intended for the original owner. What if the guy goes "Hey I forgot that password for the server, could you message it to me" (bad security practice, but people do it anyway) and someone else now has your server password.

So far it seems it's only a few cases, but Apple totally could have pulled some strings and got these individual cases fixed while they work on a permanent fix.

Seriously, Apple's silence on important issues is starting to irritate me. Before, when they only had a smaller following, the fanboys were willing to suffer. Now that Apple are more mainstream, not everyone is going to take this kind of treatment willingly.

How did the thief and/or stolen-goods purchaser activate a stolen smartphone? I thought they had unique IDs burned in, and if they tried to activate a stolen phone at a carrier they would be denied (and the cops called)?

Looks like I am stuck in the last century! Doesn't every phone have an IMEI number? I thought if your phone is stolen you give the IMEI number to the operator to deactivate the phone (the device is blacklisted on the network). Dealers can re-program a stolen phone with a different IMEI number, but there are a limited number in circulation (in practice they need a smashed or dunked phone damaged BER to get an unused, legitimate IMEI). Don't iPhones use this system? How come they can send SMS on the phone network? I am missing something here.

^Technically an iMessage isn't an SMS although it can be. That being said everyone seems to insist that the phones have been reactivated using a different phone number (different SIM).

I don't think the US carriers blacklist the IMEI number.

For my next phone I'm going to do some serious research on finding a smartphone that can be incredibly locked down remotely. Not just setting the passcode, but changing the passcode. Where it also won't do a complete wipe, but just does a partial wipe allowing me to still track it. In fact I want it to go as far as not allowing anyone else to attain ownership.

Has it occurred to anyone that the order in which things are done after the theft might have an effect? Was the number changed before or after the wiping? Would it make a difference if the thief set a new number before it was wiped?

It seems to me that Apple could set up a service by which it would permanently lock out a phone if a valid police report were provided.

I would also like to see "Where is my iPhone" expanded to include the ability to turn on tracking which would record a track of the location of the device through time, even when the owner is not logged into the "Where is…" app or website. Finally, a feature to signal when a phone becomes visible would complete the feature set. This would send an SMS, email, iChat or phone call when a phone is connected. It seems that this could be done based on hardware address even if the thief changes the SIM card.

It could be a premium feature. Someone would be happy to pay $50 to turn it on.

That's what I love about standards. A group of people spend years working out a system that works (like the IMEI system) and then some twat goes and makes up his own incompatible proprietary version that tries to do the same thing but doesn't work properly. I suppose Apple will just have to revise their system if it doesn't meet the requirements. Presumably they'll never include the IMEI in the authentication and use the already-built system.

Recently, I purchased a new iPhone 4S for my wife, gave her iPhone 4 to my sister-in-law, and recommissioned the 3GS my sister-in-law was using as a baby monitor. All were on iOS 5 using iMessage. According to the above, my wife's iMessages should have been sent to both the new 4S and the old 4, while my sister-in-law's iMessages should have been sent to the 4 and the old 3GS. Neither of these happened. Another theory might be that Apple keeps the device ID cached until a new AppleID is registered from that device. If the thieves never set up a new AppleID on the stolen device, the device ID would remain cached and iMessages would go to both the new and old device. My sister-in-law registered her AppleID to the iPhone 4 as soon as she got it so there would not have been time for a mixup of iMessages.

I tried remote wiping my old 3GS as a test and I did not get the associated iMessages. I'm willing to accept that it is a corner case, but it definitely really happened.

What difference does it make that they changed the number? iMessage works on iPads/iPod Touches as well, perhaps it puts the serial numbers of all of the user's iOS devices on that person's AppleID account, and just sends them to that serial numbered device regardless of the actual AppleID that is being used.

That would explain why deleting an AppleID would work since it would delete the serial numbers associated to the account.

If that happened to me I would be spamming the hell out of that iMessage account (if your data plan is the unlimited grandfathered one). All hours, all day. Make my stolen phone a real PITA to own or use. Imagine seeing 200 notices every time I turned it on. Not to mention having to turn the message chime off every night.

Because carriers don't like to deactivate/blacklist the IMEI. For them a stolen phone is still a working phone that is making phone calls and bringing in money.

Aye, by deactivate I figured the carriers were sending the IMEI to the blacklist, like some others have suggested. I guess it doesn't work like that?

US carriers love stolen phones. It means an additional handset sale (for the existing customer) and probably adding a new customer (whoever ends up with the stolen phone). In the rest of the civilized world, trying to activate a stolen phone means that you first have to explain to the police where you got it.

Right, and the stolen user pays the full subsidized monthly fee without having a subsidized phone. It's win/win for the US carriers!

I just posted an update, but a Twitter follower told me he had the same issue when he popped his SIM into a friend's iPhone to activate it. After that, his friend was able to observe ALL of his iMessages even though his friend was later using a different SIM. I think Zdziarski's theory is correct: if a phone is configured as a new device with your SIM, it will assume that iMessage ID whether or not it's supposed to.